Read PostgreSQL admin password from connection secret #284
Conversation
- Fixes crossplane-contrib#230 Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
We also need the CI pipeline fixes implemented here:
@@ -146,6 +149,23 @@ func (e *external) Observe(ctx context.Context, mg resource.Managed) (managed.Ex | |||
return o, nil | |||
} | |||
|
|||
func (e *external) getPassword(ctx context.Context, cr *v1beta1.PostgreSQLServer) (string, error) { | |||
if cr == nil || cr.Spec.WriteConnectionSecretToReference == nil || |
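Review bot: the new `getPassword` helper (`func (e *external) getPassword(ctx context.Context, cr *v1beta1.PostgreSQLServer) (string, error)`) has no doc comment, and because Create treats an empty return as "generate a new password" (`if pw == "" { pw, err = e.newPasswordFn() }`), that contract should be written down: state which cases yield an empty string (no WriteConnectionSecretToReference, secret not written yet, password key absent) and that any other secret-lookup error is returned rather than swallowed, so a transient API error cannot turn into a second generated password and reintroduce the mismatch from #230.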
if cr == nil || cr.Spec.WriteConnectionSecretToReference == nil || | |
if cr.Spec.WriteConnectionSecretToReference == nil || |
nitpick: we'd need to place a nil guard in just too many places if we were to check the existence of the CR. So, we usually assume it's there after the classic cr, ok := mg.(*v1beta1.PostgreSQLServer) statement.
Done.
if pw == "" { | ||
pw, err = e.newPasswordFn() | ||
} | ||
if err != nil { | ||
return managed.ExternalCreation{}, errors.Wrap(err, errGenPassword) | ||
} |
if pw == "" { | |
pw, err = e.newPasswordFn() | |
} | |
if err != nil { | |
return managed.ExternalCreation{}, errors.Wrap(err, errGenPassword) | |
} | |
if pw == "" { | |
pw, err = e.newPasswordFn() | |
if err != nil { | |
return managed.ExternalCreation{}, errors.Wrap(err, errGenPassword) | |
} | |
} | |
I was worried that reviewers would not like the nested ifs :)
Done.
pw, err := e.getPassword(ctx, cr) | ||
if err != nil { | ||
return managed.ExternalCreation{}, err | ||
} |
I thought you said it'd save the password to the connection secret before triggering the creation. Is that not the case anymore?
Nope, it was never the case (also not the case when I ran the above set of experiments). We still leave it to the managed reconciler.
Got it. So, we save the password after a successful CreateServer call via the managed reconciler, and if CreateServer is ever called again, we'd be getting the password from the connection secret.
- Make kind version used in e2e tests configurable - Update kind version to 0.11.1 - Update kind node image version to 1.19.11 - These are needed to get e2e tests running. Please see: crossplane-contrib/provider-aws#782 (comment) Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
LGTM! As we discussed, normally we have secret refs for password input that we use to get the password and if we do want to autogenerate it, so far, we've written the generated password to that input secret and then treated it like user input in the subsequent operations. But since some parts of this would require change in the behavior, it's fine to use connection details but it'd be great if we have an issue opened to add input secret ref field.
Description of your changes
This PR proposes a fix for the wrong password in the generated connection secret issue discussed in #230. The proposed behavior is backwards-compatible and in case multiple Creates are called and if a connection secret is defined, we make sure that the password initially used to make the Azure PostgreSQLServer create call is reused, effectively preventing multiple erroneous password generations and the issue described in #230.
Fixes #230
I have:
- Run make reviewable test to ensure this PR is ready for review.
How has this code been tested
I have written a test script that does the following in a loop:
- az postgres server firewall-rule create against this newly provisioned instance to allow connections from my workstation
- psql using the credentials and the connection info stored in the connection secret.
With the proposed fix, issue #230 has not been observed in 10 iterations of the above loop. However, running the experiment with the head of the master branch, out of 10 trials, 8 were successful and 2 failed with the issue reported in #230 (psql: error: FATAL: password authentication failed for user "myadmin").
Manifests used for the experiments are as follows. These are some stripped down versions of the manifests given here by @haraldatbmw:
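The Create-path behaviour this PR describes (reuse the password already published to the connection secret, generate one only when none exists, and leave publishing to the managed reconciler), as an added, self-contained Go simulation; it is not code from this PR or from provider-azure. The `SecretRef`/`PostgreSQLServer` types, the in-memory secret store, the `createServer` model of Azure (a repeated create leaves an existing server's admin password unchanged, which is how the #230 symptom is modelled here) and the `reuse` flag that switches between the pre-fix and fixed paths are all assumptions made for the example; the real controller's `cr.Spec.WriteConnectionSecretToReference` and `e.newPasswordFn` are only mirrored by name.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-ins for v1beta1.PostgreSQLServer and Spec.WriteConnectionSecretToReference (field names assumed).
type SecretRef struct{ Namespace, Name string }
type PostgreSQLServer struct {
	Name      string
	SecretRef *SecretRef // nil: the resource requested no connection secret
}

// SecretStore is the one Kubernetes call the controller needs; ErrNotFound means "not written yet".
type SecretStore func(ns, name string) (map[string][]byte, error)
var ErrNotFound = errors.New("secret not found")

// memStore is a constructed in-memory secret map keyed by "namespace/name".
type memStore map[string]map[string][]byte
func (m memStore) Get(ns, name string) (map[string][]byte, error) {
	if d, ok := m[ns+"/"+name]; ok {
		return d, nil
	}
	return nil, ErrNotFound
}

const passwordKey = "password" // assumed connection-detail key

// external mirrors the controller's external client; azure stands in for the cloud
// and keeps the admin password each server was first created with.
type external struct {
	kube          SecretStore
	newPasswordFn func() (string, error)
	azure         map[string]string
}

// createServer models the #230 symptom: a repeated create for a server that
// already exists leaves its admin password unchanged (assumed cloud behaviour).
func (e *external) createServer(name, pw string) {
	if _, exists := e.azure[name]; !exists {
		e.azure[name] = pw
	}
}

// getPassword returns the password already published to the connection secret, or ""
// when there is no secret ref, no secret yet, or an absent/empty key. Any other lookup
// error is propagated, never silently replaced by a fresh password.
func (e *external) getPassword(cr *PostgreSQLServer) (string, error) {
	if cr.SecretRef == nil {
		return "", nil
	}
	data, err := e.kube(cr.SecretRef.Namespace, cr.SecretRef.Name)
	if errors.Is(err, ErrNotFound) {
		return "", nil
	}
	if err != nil {
		return "", fmt.Errorf("cannot get connection secret: %w", err)
	}
	return string(data[passwordKey]), nil
}

// Create reuses the published password (the fix) and generates one only when none
// exists; reuse=false reproduces the pre-fix code, which always generates. It returns
// the connection details that the managed reconciler will publish.
func (e *external) Create(cr *PostgreSQLServer, reuse bool) (map[string][]byte, error) {
	pw, err := "", error(nil)
	if reuse {
		if pw, err = e.getPassword(cr); err != nil {
			return nil, err
		}
	}
	if pw == "" {
		if pw, err = e.newPasswordFn(); err != nil {
			return nil, fmt.Errorf("cannot generate password: %w", err)
		}
	}
	e.createServer(cr.Name, pw)
	return map[string][]byte{passwordKey: []byte(pw)}, nil
}

// Simulate runs Create n times, publishing the details after each call as the managed
// reconciler does (this repeats while Observe still reports the server absent), and
// reports whether the secret's password still matches the one the server holds.
func Simulate(reuse bool, n int) (bool, error) {
	kube, seq := memStore{}, 0
	e := &external{kube: kube.Get, azure: map[string]string{}, newPasswordFn: func() (string, error) {
		seq++ // deterministic stand-in for the controller's random generator
		return fmt.Sprintf("pw-%d", seq), nil
	}}
	cr := &PostgreSQLServer{Name: "example-pg", SecretRef: &SecretRef{"default", "example-pg-conn"}}
	for i := 0; i < n; i++ {
		details, err := e.Create(cr, reuse)
		if err != nil {
			return false, err
		}
		kube["default/example-pg-conn"] = details
	}
	return string(kube["default/example-pg-conn"][passwordKey]) == e.azure[cr.Name], nil
}

func main() {
	fmt.Println(Simulate(false, 3)) // false <nil>: pre-fix, secret and server drift apart
	fmt.Println(Simulate(true, 3))  // true <nil>: with the fix they stay in sync
}
```

The point worth keeping from the simulation is the shape of `getPassword`: an absent secret ref, a not-yet-written secret and an empty key all mean "nothing to reuse", while any other lookup failure is returned to the caller, because treating an API error as "no password" would mint a new one and recreate the very mismatch the PR fixes.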